Bad news for bloggers as well as their readers: IT researchers in Finland recently discovered a four-year-old comment security bug estimated to affect up to 86 percent of all current WordPress sites.
Finnish IT firm Klikki Oy announced on its own blog that it has located a critical security vulnerability in WordPress. The problem affects version 3 of the blogging and content management system. According to WordPress's statistics as of November 20, about 86% of all WordPress sites used a vulnerable version. At the time of reporting (September 2014), the percentage was about 90%. In order to exploit the vulnerability, the attacker needs a text entry field such as the comment form which is enabled by default.
WordPress 3 was first introduced in 2010; according to Klikki Oy, the security bug has been present all that time.
By the way, while WordPress was created as a blogging platform -- you know, for people who work at home in their pajamas -- it has since become by far the most widely used content management system anywhere. Its users include CNN, eBay, the Guardian and just about everyone else, so don't assume you never visit WordPress sites.
What it means
As a practical matter, what does this mean for blog readers or producers? Blogs that don't allow comments – those with no text entry fields, in other words – basically have nothing to worry about, even if they use WordPress 3. Klikki Oy clarifies that, “The exploit requires a text entry field. A site using a vulnerable version isn't always exploitable.”
As for those blogs which are vulnerable … that's a different matter. If your WordPress 3 blog (or even a blog you occasionally visit and read, whether you leave comments or not) allows the posting of comments without requiring authentication, then a hacker can post a comment containing malicious code targeting any site visitors or administrators.
Klikki Oy was also able to use the exploit to successfully hijack a WordPress site administrator's session – a hacker could then have used that ability to lock the administrator out of his own site, and use it for malicious purposes of his own.
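The class of bug described above is stored cross-site scripting: untrusted comment text is written into a page that other visitors (or the logged-in administrator) later load. The Python below is an added illustration of the general mechanism and its standard mitigation, not WordPress code and not Klikki Oy's proof of concept; the `CommentStore` class, the two render functions and the sample comment are all constructed for this example. It renders the same stored comments once without escaping and once with `html.escape`, then scans each result for tags outside a small allowlist, which is the check a defender would want to see pass.

```python
import html
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class CommentStore:
    """Hypothetical stand-in for a blog's comment table (constructed)."""
    comments: list = field(default_factory=list)

    def add(self, author: str, body: str) -> None:
        # An unauthenticated visitor can submit anything here; nothing is
        # validated on the way in, which mirrors an open comment form.
        self.comments.append((author, body))


def render_unsafe(store: CommentStore) -> str:
    """Vulnerable pattern: stored text is interpolated straight into HTML."""
    return "\n".join(f"<p><b>{author}</b>: {body}</p>"
                     for author, body in store.comments)


def render_escaped(store: CommentStore) -> str:
    """Mitigated pattern: every untrusted value is HTML-escaped on output."""
    return "\n".join(f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"
                     for author, body in store.comments)


class _TagCollector(HTMLParser):
    """Collects every tag name the browser would actually parse."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def disallowed_tags(rendered: str, allowed=("p", "b")) -> set[str]:
    """Return the set of tags in `rendered` that are not in the allowlist."""
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags - set(allowed)


def build_sample_store() -> CommentStore:
    # Constructed sample data: one benign comment and one carrying markup.
    store = CommentStore()
    store.add("alice", "Nice post, thanks!")
    store.add("mallory", "Great read <script>alert('stored xss')</script>")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("unsafe  ->", disallowed_tags(render_unsafe(store)))   # {'script'}
    print("escaped ->", disallowed_tags(render_escaped(store)))  # set()
```

The escaped output still shows the visitor the literal text `<script>`, so nothing is lost for honest commenters; the difference is that the browser treats it as text rather than as code, which is exactly the property the comment bug in the article breaks.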
Blogs powered by WordPress version 4.0, released in September, are not vulnerable to this comment bug. However, late last week WordPress released a security update for 4.0, to fix some unrelated cross-site scripting problems.